Any user being KeyCapture-logged must have been authorized by the system manager for KeyCapture logging, since sensitive, non-echoed input data might be logged. Rights-list Identifiers are used to specify who may be logged with KeyCapture. The Rights-list Identifier used is KCAP$INPUT_LOGGER. To use KCAP/TRACK, the user must hold the Rights-list Identifier KCAP$INPUT_LOGGER.

KeyCapture 5.1.14 suppresses logging of passwords entered with the DCL SET PASSWORD command, and for SET HOST, SET HOST/LAT, SET HOST/TELNET, SET HOST/DTE, and SET HOST/RLOGIN. It also suppresses logging of passwords for LOGINOUT.EXE and VMS's TCPIP FTP and TELNET commands. The programs pointed to by the VMS logicals OPENVMS$FTP, OPENVMS$RLOGIN and OPENVMS$TELNET are now included in the list of standard programs which do not log non-echoed input. The 5.1.14 release of KeyCapture also allows the system manager to add additional programs to the above list of programs for which passwords aren't logged. See the section in KCAP_DEFAULTS.COM concerning Special Images.

PLEASE NOTE: KeyCapture will record passwords and other non-echoed input for programs other than the above. USE WITH CAUTION on any sensitive accounts or systems if you have programs other than the above which are password protected.

When logging in to another system with any of the SET HOST commands (including TELNET), KeyCapture does not log any characters which are input to the remote system. KeyCapture does log the fact that input was entered, but the characters themselves aren't logged. Since the input is going to another system, this doesn't compromise the security of the system on which KeyCapture is running. If the remote system is running VMS, KeyCapture can be used on that system to log the input without jeopardizing password security for the remote system.

To protect passwords, input keystrokes are also suppressed for the MS_SERVER process which is used as part of NDC's MultiSessions product on ALPHA systems. This makes the /NOBACKGROUND, /NOSINGLE_WINDOW and /NOWINDOW commands obsolete for KeyCapture. (These commands remain valid for NDC's Peek & Spy product.) KeyCapture does record the input for each individual MultiSessions session.

GREAT CARE SHOULD BE USED WHEN GRANTING USERS THE KEYCAPTURE RIGHTS-ID, SINCE THIS ALLOWS LOGGING OF NON-ECHOED INPUT. Precautions are taken in KeyCapture to avoid logging VMS passwords, BUT PARTICULARLY FOR THIRD-PARTY SOFTWARE, THERE IS THE POSSIBILITY THAT NON-ECHOED INPUT LOGGED BY KeyCapture COULD CONTAIN PASSWORDS.
1 – Rights-IDs
KeyCapture logging is authorized for specific users by granting them the proper rights-ids. For KCAP/TRACK the rights-id is KCAP$INPUT_LOGGER.

To add this identifier to the system rights database, use the AUTHORIZE command

    ADD/IDENTIFIER KCAP$INPUT_LOGGER

To then grant this identifier to specific users, use an AUTHORIZE command in the form of

    GRANT/IDENTIFIER KCAP$INPUT_LOGGER J_JONES

A program and command file are provided in the KeyCapture distribution to help the system manager set up the KCAP$INPUT_LOGGER rights-id on the system. See KCAP$LOCATION:KCAP_GRANT_ID.COM for details.

GREAT CARE SHOULD BE USED WHEN GRANTING USERS THE KEYCAPTURE RIGHTS-ID, SINCE THIS ALLOWS LOGGING OF NON-ECHOED INPUT. FOR THIRD-PARTY SOFTWARE, IT IS POSSIBLE THAT THIS NON-ECHOED INPUT COULD CONTAIN PASSWORDS.
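
The grant described above, followed by a check of who holds the identifier and a later revocation, as an added example (a standard AUTHORIZE session written as a DCL command procedure, not the contents of KCAP_GRANT_ID.COM). J_JONES is the sample username from the text; the procedure assumes SYSUAF.DAT and RIGHTSLIST.DAT are in SYS$SYSTEM and that it is run from a suitably privileged account.

```dcl
$ ! Added example: set up, review and withdraw KeyCapture logging rights.
$ ! AUTHORIZE looks for the authorization files in the default directory
$ ! unless logical names redirect it, so move to SYS$SYSTEM first.
$ SET DEFAULT SYS$SYSTEM
$ !
$ ! Create the identifier, grant it to one user, then list every holder
$ ! of the identifier and every identifier that user now holds.
$ RUN SYS$SYSTEM:AUTHORIZE
ADD/IDENTIFIER KCAP$INPUT_LOGGER
GRANT/IDENTIFIER KCAP$INPUT_LOGGER J_JONES
SHOW/IDENTIFIER/FULL KCAP$INPUT_LOGGER
SHOW/RIGHTS J_JONES
EXIT
$ !
$ ! When the user should no longer be subject to KeyCapture logging,
$ ! withdraw the identifier and confirm the holder list is as expected.
$ RUN SYS$SYSTEM:AUTHORIZE
REVOKE/IDENTIFIER KCAP$INPUT_LOGGER J_JONES
SHOW/IDENTIFIER/FULL KCAP$INPUT_LOGGER
EXIT
```

Reviewing the SHOW/IDENTIFIER/FULL holder list periodically shows which accounts can have non-echoed input captured.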